Misconfigured ElasticSearch Server Exposes Millions of Bing Mobile Users' Data

A misconfigured ElasticSearch server owned by Microsoft leaked millions of Bing mobile app search queries, location data, device IDs and other details, exposing users worldwide to phishing, ransomware and even robbery risks, while Microsoft claims the breach affected only a small amount of non‑identifiable data.

Programmer DD

A misconfigured server recorded data from the Bing mobile application.

The WizCase security team discovered that a Microsoft‑owned server logging Bing mobile app data leaked a large amount of information through an insecure ElasticSearch server.

The research was led by white‑hat hacker Ata Hackil, who noted that the poorly secured server allowed third parties to obtain sensitive data such as search queries.

The Bing mobile app is available in both Google and Apple app stores, with over 10 million downloads on Google Play and millions of searches performed daily.

WizCase researchers found an exposed ElasticSearch database that stored plaintext search terms, location coordinates, and detailed device information.

The server also logged the exact time of each query, device model, Firebase notification token, URLs visited from search results, and coupon data.

Leaked data included unique identifiers such as ADID, Devicehash, and DeviceID, as well as operating system details.

If users had enabled location permissions in the Bing app, the server exposed precise location data within a 500‑meter radius, providing approximate user whereabouts.

Fortunately, personal data such as names were not leaked, and users in private mode were unaffected.

WizCase researchers warned that any leaked data could enable phishing, ransomware, and other malicious activities by linking user identity with location and search queries.

Some of the recorded search queries were disturbing, including searches for child abuse content.

Attackers could infer daily activities, cash holdings, or valuable items from the search data, increasing robbery risk.

The Bing mobile app data was stored on a 6.5 TB server that was password‑protected until September 10. It was found unprotected on September 12, reported to Microsoft, and secured by September 16.

WizCase researcher Chase Williams said the exact number of affected users is unknown but likely large, with records from users in over 70 countries.

The server was hit by Meow attacks from September 10 to 14, which nearly deleted the entire database; by September 12, one hundred million records had been collected since the attack.

Given ElasticSearch’s history of data leaks and misconfigured databases exposing billions of records in recent years, this incident was not surprising.

Microsoft claimed the leaked data volume was small, stating the issue was resolved and that the exposed data could not identify individual users.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
